Mechanical Turk vs. CAPTCHA: An InfoSec Lesson

I’ve always hated the “THING is dead. Long live the THING” cliché, but I’m going to use it here for CAPTCHA.

CAPTCHA raises the cost of attacking something, which improves its security. It’s that simple. The question is simply how much you raised the cost vs. the dedication and resources of the attacker.

For a random, uninteresting blog, by using a good CAPTCHA you’ve probably raised the cost of attacking it beyond what most attackers will pay. For something valuable, however, like attacking a virtual economy, or gaining access to email accounts that can be used for spam, you probably haven’t.

Using services like Mechanical Turk, which pay people to solve CAPTCHAs, this line of defense is trivially broken.

It’s important to understand that this doesn’t mean that CAPTCHAs are “lame” or “good”. Those are objective terms being used in a subjective context, i.e. one in which we’re talking about how interested and resourced an attacker is vs. how valuable a target is.